Offensive Security urged Kali Linux users to manually install a new repository signing key to avoid system update failures. This warning followed the loss of the previous signing key, which forced the Kali team to generate a new one. Though the lost key was not compromised, it was still replaced with a new key signed by Kali developers. The change caused signature verification errors when users tried to retrieve new software packages using the outdated key.
OffSec said the issue affects all Kali systems that still rely on the old repository signing key. These users will encounter “Missing key” errors when attempting updates if they don’t manually install the new key. The Kali repository was frozen on February 18, 2025, to prevent system disruptions during the transition. OffSec accepted full responsibility and admitted that the oversight would impact nearly all Kali Linux installations worldwide.
To fix the problem, OffSec published a terminal command to download and install the updated repository key. They also provided instructions to verify the checksum and examine the contents of the new keyring for authenticity. For users concerned about trust or integrity, OffSec advised reinstalling Kali Linux using official images bundled with the updated keyring. This approach avoids the need for manual configuration and ensures system integrity.
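The sequence described above (download, checksum check, keyring inspection, then install) written as shell functions. This is an added example, not OffSec's published command: the URL, digest and destination path are placeholders to be taken from the official announcement, and SHA-256 is an assumption (use whichever digest the announcement publishes).

```shell
#!/bin/sh
# Added example: verify a downloaded repository keyring BEFORE it replaces the
# one apt trusts. All three arguments to install_keyring are placeholders.

# Succeed only if FILE is non-empty and its SHA-256 equals EXPECTED.
checksum_ok() {
    file=$1
    expected=$2
    [ -s "$file" ] || return 1                 # missing or empty download
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    # Published digests are sometimes upper case; compare in lower case.
    [ "$(printf %s "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf %s "$expected" | tr 'A-F' 'a-f')" ]
}

# List the keys inside the keyring file without importing them anywhere.
show_keys() {
    gpg --no-default-keyring --keyring "$1" --list-keys --with-fingerprint
}

# Download to a temp file, verify, show the contents, ask, then install.
# Needs root when DEST is a system keyring path.
install_keyring() {
    url=$1
    expected=$2
    dest=$3
    tmp=$(mktemp) || return 1
    rc=1
    if curl -fsSL --proto '=https' "$url" -o "$tmp" \
        && checksum_ok "$tmp" "$expected"; then
        show_keys "$tmp"
        printf 'Fingerprints match the announcement? [y/N] '
        read -r ans
        if [ "$ans" = "y" ]; then
            install -m 0644 "$tmp" "$dest" && rc=0
        fi
    else
        echo "download or checksum check failed; nothing installed" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholders, fill in from the official announcement):
#   install_keyring "<KEYRING_URL>" "<PUBLISHED_SHA256>" "<KEYRING_DEST_PATH>"
```

Because the file is only copied into place after both checks pass, a truncated or tampered download never reaches the keyring that apt uses.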
This isn’t the first time Kali Linux users have faced keyring update issues. In February 2018, the Kali team allowed the GPG key to expire, prompting a similar manual update. OffSec reminded users that failing to update regularly leads to outdated keyrings and future update errors. The team’s transparency and guidance aim to reduce confusion and help users restore secure and functional update mechanisms.